[Update] Documentation for sniff WordPress.PHP.DiscouragedPHPFunctions

[jasonkenison]

Related to #1722

Continuing requested edits from #2494

Updated indentation, added tags and a line break at the end of the file.

Closes #2494

[jasonkenison]

Added more details with code obfuscation examples in the final standard.

[rodrigoprimo]

Thanks for creating this PR, @jasonkenison!

I left some comments with suggestions. Let me know if you have questions.

[rodrigoprimo]

This block and most of the blocks below are missing <em> tags.

[rodrigoprimo]

I think that just a single valid example encoding $array is enough. I don't see a reason for two. Maybe keep this line and remove the one above?

[rodrigoprimo]

I don't have a specific suggestion, but I think this title can be improved. Maybe Using JSON to encode data or JSON encoding data. As a non-English native speaker, I'm not sure, but I don't think the examples below are about Using JSON for serialized data as the data is not necessarily serialized before it is passed to the JSON functions. Makes sense?

[rodrigoprimo]

Please double-check, but I believe the examples provided here actually trigger the sniff and thus are invalid. If I'm correct, the sniff triggers a warning if one of those functions is used, regardless of how it is used. It is up to a developer to determine if the function is used for benign purposes if they want to keep it. Let me know if you need help testing the sniff.

[rodrigoprimo]

I'm unsure (here and in other <code_comparison> blocks) if it is necessary to include an example for every single function that triggers the sniff. Please check other sniff XML docs if you can, but I believe it is more common to just include one example (if all the others are the same except for the function name). Then, if the list is not too long, you can consider mentioning all the functions in the corresponding <standard> description. What do you think?

[rodrigoprimo]

Maybe it is better to use a variable name other than $array here as this function takes an string as its first parameter? The same applies to the json_decode() example above.

Please check if other variables could be renamed as well for the same reason in the other examples.

[rodrigoprimo]

Maybe it is not necessary to include the second sentence? The sniff will trigger anyway if it finds urlencode(). If there is a reason to include the second sentence, maybe it makes sense to add another sentence explaining what determines the cases where legacy applications should use urlencode(). I don't remember off the top of my head.

[rodrigoprimo]

Here and in all other <standard> blocks, the description should be indented four spaces.

Suggested change

	Use JSON instead of serialized data, which has known vulnerability problems with object injection.
	Use JSON instead of serialized data, which has known vulnerability problems with object injection.

[rodrigoprimo]

Missing period

Suggested change

	<code title="Invalid: Changing configuration at runtime">
	<code title="Invalid: Changing configuration at runtime.">

[rodrigoprimo]

Since this sniff triggers a warning and not an error, I suggest rephrasing this description to make it explicit that it is a recommendation. The description above is a code example. Maybe something like "Avoid using PHP system calls as they are often disabled by server administrators."